FIRST Malware Information Sharing Platform (MISP) instance
Introduction
The FIRST Information Sharing SIG, supported by CIRCL, operates a Malware Information Sharing Platform (MISP) instance. MISP is a community-driven software project that enables sharing, storing and correlation of Indicators of Compromise of targeted attacks. The instance is open and automatically enabled for all FIRST members.
Our instance allows FIRST members to efficiently share and store technical and non-technical information about malware samples, attackers and incidents. It also enables members who have not yet gained experience leveraging threat intelligence to connect with a wider community of organizations that have, increasing their own capabilities, and helps them become more familiar with common information sharing standards and technologies such as STIX.
The FIRST MISP instance is connected with a wider community of incident response organizations and networks, enabling FIRST members to exchange information beyond the boundaries of the FIRST community.
Features
- FIRST members who have not yet participated in information sharing networks can gradually leverage the features of the MISP instance, and over time learn to apply them within their own organization and networks with other peers;
- Experienced CSIRTs with deep knowledge of information sharing can leverage the FIRST MISP instance to share information with other FIRST members in an automated manner;
- The FIRST MISP instance is accessible to FIRST members via both a web interface and an API. The versatile PyMISP library can be used to access the data repository;
- MISP permits export of indicators to various industry standard formats including OpenIOC, STIX (XML and JSON), CSV, and others;
- MISP permits signed and encrypted notifications of new information via PGP, the standard encryption mechanism within the FIRST community.
How does it work?
FIRST members can access the FIRST MISP instance at https://misp.first.org using their membership certificate.
FIRST members interested in participating in the governance process and operations of the MISP instance are invited to join the FIRST Information Sharing SIG.
More information
More information on the MISP platform is available from https://www.misp-project.org/. Materials from a recent MISP training by CIRCL are available here.
As an open source project, the MISP source can be found in its GitHub repository.
FIRST is grateful to the Computer Incident Response Center Luxembourg for operating the MISP service for the Information Sharing SIG and FIRST members.